From Supply Chains to Spacecraft: Taking an Integrated Approach to Cybersecurity in Space
“Today, there’s enormous excitement around some really highly visible developments, but almost ironically, the most essential space-based services are often invisible to us as users and at the same time invaluable in our daily lives and in the functioning of our society,” said Dr. Jamie M. Morin, Executive Director of the Center for Space Policy and Strategy at The Aerospace Corporation, at a Wilson Center event held July 14.
From weather forecasts to GPS systems, we are reliant on the services provided by space assets everyday. However, as cybersecurity becomes an increasingly pressing concern, these services are put further at risk. Both public and private space organizations must incorporate cyber defenses into space architecture to protect the United States' assets from cyberattacks, according to speakers from The Aerospace Corporation and the Space Information Sharing and Analysis Center (ISAC). Throughout the program, the speakers explored the intersection of space systems and cybersecurity, discussing the vulnerabilities faced by space technology and the steps that can be taken to reduce the risk of potential cyberattacks.
Addressing the Growing Significance of Space Technology & Cybersecurity
In his opening remarks, Morin noted key ways in which the average American interacts with space systems, including timing synchronization, banking systems, and emergency service provisions. “Space is really fully integrated into our society and it’s becoming more so everyday,” said Morin. “Both U.S. national security and our economic prosperity are dependent on space to a degree that most people just don’t fully appreciate.”
Space systems are not one of the 16 critical infrastructure sectors that are recognized as vital to U.S. national security and economy. However, developments in space technology, from advancing rocket designs to commercial deorbit services, are elevating space systems towards an official critical infrastructure designation, according to Erin Miller, Executive Director of the Space ISAC. “Even before Richard Branson travelled, space systems were and are critical infrastructure… It’s not necessarily the degree to which we’re dependent that makes the case, it’s just the fact that we are dependent upon space systems,” she said.
At the same time that our dependence on space has grown, the increased threat of cyberattacks has become a frightening reality for governments and individuals alike. “If you’ve even modestly been following the news, it’s clear that adversaries—criminal adversaries, state adversaries, a melange of both—are using cyberattacks that have an increasing sophistication and they are reaching a wider impact then they have before,” said Morin. “There is no reason to believe that trend isn’t going to continue.”
Space systems are not exempt from cyberattacks by any means, whether the ground stations to satellites in orbit, or the data links in between. This begs the question Morin posed to the speakers: “What needs to be done, both from a policy standpoint but also at the technical level—where the metaphorical rubber meets the road—to protect our space systems from cyberattacks?”
Tackling the Unique Vulnerabilities of Space Technologies & Systems
Space systems—which are composed of the vehicles and infrastructure needed to complete a task in the space environment, including but not limited to ground stations, data links, and satellites—are vulnerable to cyberattacks at multiple points, noted several speakers. “Satellites present a unique challenge: [they] have a limited amount of storage, memory and power on board and once you launch it, that’s what you get,” explained Prashant Doshi, Associate Principal Director of the Cyber Security Subdivision. “You have to run the mission on the hardware that’s already there. So there’s not a lot of extra hardware leftover to run McAfee or some other anti-virus [software].”
When thinking about protecting space infrastructure, you have to look at the entire space system, according to Miller, because all elements involved are vulnerable to cyberattacks. For example, low costs to entry and a wide pool of capable adversaries—from “script kiddie” hackers to sophisticated state actors—fosters an environment where an attack against a ground station could come from anywhere.
Additionally, as more and more adversaries place spacecraft in orbit and establish their capacity to conduct command link intrusions, the risk of satellite disruption or even loss of operational control to an adversary increases. The consequences of a cyberattack on space infrastructure can be “anything from temporary disruption to complete mission failure,” noted Brandon Bailey, The Aerospace Corporation’s Cybersecurity Senior Project Leader in the Cyber Assessments and Research Department.
The commercialization of the supply chain introduces new risk as well. Satellites used to be built according to a “boutique” model, where one satellite was uniquely designed for its purpose. However, with space becoming more accessible to a greater number of operators, it is now more common to use off-the-shelf components. This means that all satellites are vulnerable to cyber intrusion if even one part of their shared supply chain is corrupted. This threat of supply chain intrusion, alongside the nature of cyberattacks in general, means that the consequences of supply chain attacks by adversaries could be wide-reaching. “It may not be practical to fire hundreds of thousands of missiles at once, but it may be possible, with a single [cyber]attack, to attack multiple spacecraft,” said Ryan Speelman, Principal Director of The Aerospace Corporation’s Cyber Security Subdivision.
Fortifying the Supply Chain through Information Sharing
One of the conclusions reached by the panel was that unique threats to space systems are not being addressed to the same extent as unique threats to other critical infrastructures. In order to address these vulnerabilities and prevent such attacks from taking place, several panelists noted that the U.S. must incorporate cybersecurity planning into all stages of space system development. The first step to reaching this goal is increasing collaboration and information sharing among government organizations, commercial companies, and international partners in the space industry.
According to Speelman, the government uses a higher standard of defense and security requirements for space systems than private companies do. This becomes a problem when commercial companies do not fortify their space system components against cyberattacks. “It may be easy for DOD missions and the military to say, ‘well we don’t care.’ But when we’re buying a bunch of services, potentially bandwidth and other things from them, it becomes a really big deal,” he said.
This alludes to a problem faced by space system developers: due to the different regulations and requirements used by firms and within the government, it is difficult to ensure that components from all levels of the supply chain have the same quality of cyber protection. Miller explained that promoting transparency across the industry will be vital to securing the entire supply chain for space technologies. “I’m not asking that we specifically regulate those companies, I’m asking that in the Space ISAC that we come together and we collaborate,” said Miller. “So that we’re all aware of the baseline expectation for cybersecurity and we have active information sharing, so we have actionable intelligence around the threats.”
With the increasing prevalence of threats like ransomware attacks, information sharing across sectors and stakeholders will only become more critical. “We need to be very concerned and aware of whether or not the space industry has visibility on these different types of attacks and [when] they’re getting the information in a timely manner, it’s going to the right people who can take action,” Miller stated.
Overcoming Classification Barriers: Sharing What You Can
Transparency can be a difficult goal to reach in an industry where classification and intellectual property protection are salient concerns. However, there are ways to address potential vulnerabilities without divulging sensitive information. “To help somebody, you don’t necessarily need to right away share everything you have. Just the fact that you believe something is going on and it affects this particular subsystem—you don’t necessarily have to say what it is—that could be really useful for a lot of people… A little bit of information early on can help quite a bit.” said Speelman.
The Space ISAC and other government agencies are working to provide as much information as possible even with classification restrictions. Designating space systems as a critical infrastructure would help the flow of information. As Miller noted, “There’s a concerted effort towards making sure that the information that doesn’t need to be classified, that needs to be out there in the global space community, is reaching the global space community... We need to empower them, those space system critical infrastructure owners and operators, and give them the information they need.”
For successful prevention, information sharing must take place all the way down the supply chain, taking special effort to share information with small and medium sized companies involved in space system development. It’s not enough to target the large companies and organizations in this effort, because “if you’re not sharing that with your supply chain, then you’re introducing additional unnecessary risk,” said Miler.
Building Resilience in Space Using a Defense-in-Depth Model
On a more technical level, the panelists discussed strategies to build resiliency by fortifying space systems at multiple levels and leveraging new modeling technologies to test space systems. According to Bailey, the U.S. must incorporate a defense-in-depth model within its space systems to ensure that multiple layers, from the software to the encryption, are fortified against attack. “That’s another way to look at [defense-in-depth]: redundancy in your defenses,” he explained, noting that these defenses should provide not only preventative measures, but detection and recoverability capacity as well.
Penetration testing is another critical component to finding and mitigating vulnerabilities before they become problems, according to Speelman. “If we are not constantly attacking and finding holes and vulnerabilities in our own systems, our adversaries will do it for us,” he said. “I don’t think you can ever say your system is secure unless you're willing to try and break it yourself.” While project managers are hesitant to put their systems at risk, additional system engineering around the test itself and evolving digital twin technology allow penetration tests to be conducted without significant risk to the space asset itself.
Next Steps: Moving the Space Industry Towards Greater Cyber Awareness
Cybersecurity is not an issue that can be ignored or glossed over. If the U.S. is not proactive in securing its space systems against cyberattack, our adversaries will undoubtedly take advantage of our vulnerabilities. “We make ourselves as a country so vulnerable to a disruption in our space systems that it really will affect our society and quality of life. On that day when we get into a conflict, we will not be ready for [it].” said Doshi.
In order to fortify space systems, policymakers, engineers, and private corporations must make a concerted effort to change the way we develop and operate spacecraft. Cybersecurity must be built into each layer of the spacecraft’s design and at each stage of the supply chain, an endeavor that will require an entire industry to adjust its operating procedures. “If we can get as many people as possible pushing in that direction, I think we can make some big progress,” concluded Speelman.
About the Author
Science and Technology Innovation Program
The Science and Technology Innovation Program (STIP) brings foresight to the frontier. Our experts explore emerging technologies through vital conversations, making science policy accessible to everyone. Read more